Cryptographic revocation method using a chip card

ABSTRACT

A cryptographic method and a chip card which is used to carry out the method. Before any calculation is performed by a computing means of the chip card, the chip card reads ( 2 ) an integral list, in a storage means of a second entity, of identifiers of first proprietary entities of a chip card. Such list is linked to each status assigned to each of the first entities by the second entity. Subsequently, the chip card compares ( 3 ) the identifier stored in a storage means of the chip card with the contents of the list, in order to authorize ( 5 ) or prohibit ( 4 ) any calculation by the computing means depending on the result of the comparison.

FIELD OF THE INVENTION

The present invention relates to the field of telecommunications andmore particularly to securing transmissions, in particular for services,using cryptography.

DESCRIPTION OF THE PRIOR ART

Electronic signature mechanisms have been developed for authenticatingthe source of a document transmitted via telecommunications means. Itshould be noted that the term “transmission in electronic form” isroutinely used to refer to the transmission of a document viatelecommunications means. In the context of the invention, the documentsin question are necessarily in digital form, as opposed to paper form;the term “message” as used in the remainder of this application refersto this type of document. The most widely used electronic signaturemechanisms are based on public key cryptographic techniques that rely onan entity known as a trusted authority. The trusted authority usuallygenerates certificates on behalf of users of standard public keymethods; these certificates establish a connection between a public keyand the identity of the proprietor of the key. To use this kind ofmethod, the person signing the message must first obtain certificationfrom the trusted authority by communicating to the authority at leasthis public key and his identity. The method calculates an electronicsignature for the message taking account of the content of the messageand of the person's private key. The signatory sends the message, thesignature and his certificate to the addressee of the message, whoverifies the electronic signature of the message using at least thepublic key and the content of the message. For some applications, suchas electronic voting, electronic bidding or anonymous electronicpayments, it is necessary to use an anonymous electronic signature. Ananonymous electronic signature has the same characteristics as anordinary electronic signature except that the addressee cannot determinethe identity of the signatory, who remains anonymous. However, theaddressee is able to contact the trusted authority, which is able toremove the anonymity by referring to the certificate. The anonymousgroup signature is one particular type of anonymous signature. Ananonymous group signature scheme enables each member of a group toproduce an electronic signature that is characteristic of the group. Theaddressee of a message accompanied by an anonymous group signature isable to verify that the signature was applied by one of the members ofthe group but is not able to determine which of the members of the groupthis was.

In the context of the invention, a group is a set of persons who declarethemselves to an authority as belonging to the same group. At the timeof this declaration, each person interacts with the trusted authorityusing a particular protocol, after which the person obtains a privatekey which is associated with a public key of the group previouslydetermined by the trusted authority, and the authority and the personobtain an identifier of the person associated with the private key. Inthe remainder of this application, each person is referred to as amember. One example of a protocol of this kind is described in the paperby J. Camenisch and M. Michels “Efficient Group Signature Schemes ForLarge Groups”, in B. Kaliski, editor, Advances In Cryptology—CRYPT097,Volume 1296 of LNCS, pages 410 to 424, Springer-Verlag, 1997. The sameinteraction occurs upon the arrival of a new member. From the point ofview of the trusted authority, the existence of a group is reflected byassigning a group public key to the group and assigning a differentprivate key to each member, each private key being associated with thepublic key and an identifier. Using his private key, a member is able toapply an anonymous group signature to a message of his choice. Anyaddressee is able to verify that the signature was in fact applied byone of the members of the group, provided that the group public key wasused. After verification, the addressee is certain either that thesignature was applied by a member of the group or that it was not, asthe case may be, but obtains no information as to the identity of thatmember; the signature is anonymous. However, the addressee may contactthe trusted authority, which is able to determine the identity of thesignatory from the encrypted identifier, by means of a public key of thetrusted authority, which accompanies the group anonymous signature. Thusthe trusted authority is able to remove the anonymity at any time.

A group may evolve after it has been set up by the trusted authority. Afirst type of change is for new persons to become members of the group.A second type of change, referred to as revocation, is for members toleave the group or to be excluded from the group. Each time the groupchanges, the trusted authority is faced with the problem of assigning toor withdrawing from a member of the group the means for applying a groupanonymous signature. The first problem that arises relates to assigninga new member the means for applying a group anonymous signature, and issolved using one of the prior art public key/private key generationalgorithms that associate as many private keys as necessary with thesame public key. One example of this kind of algorithm is described inthe paper by J. Camenisch and M. Michels “Efficient Group SignatureSchemes For Large Groups”, in B. Kaliski, editor, Advances InCryptology—CRYPT097, Volume 1296 of LNCS, pages 410 to 424,Springer-Verlag, 1997.

Prior Art

The second problem that arises relates to withdrawing these means from aperson, and is solved by various prior art revocation methods.

A first of these methods is described in the paper by E. Bresson and J.Stern “Efficient Revocation In Group Signatures”, in K. Kim, editor,Public Key Cryptography—PKC 2001, Volume 1992 of LNCS, pages 190-206,Springer-Verlag, 2001. This method is based on the fact that each memberof a group has his own identifier. Given that the signature must remainanonymous, it is not possible to reveal this identifier. However, inthat method, the identifier of the signatory is divided by theidentifier of each revoked member; the result of each division isdifferent from 1 if, and only if, the signatory is not a revoked member.Using an encryption algorithm, each of the results of these divisions isthen encrypted and the encrypted result is sent to the addressee,accompanied by particular elements. The addressee uses the particularelements and the encrypted results to verify that the divisions havebeen effected correctly and that all the results are different from 1,which confirms that the signature was applied by a non-revoked member.

Given that there are as many encrypted results and particular elementsas there are revoked members, this method has the drawback of generatinga group anonymous signature whose length and calculation time increasein proportion to the number of revoked members.

A second revocation method is described in the paper by H. J. Kim, J. I.Lim and D. H. Lee “Efficient And Secure Member Deletion In GroupSignature Schemes”, in D. Won, editor, Information Security AndCryptology—ICISC 2000, Volume 2015 of LNCS, pages 150 et seq.,Springer-Verlag, 2000. That method uses three keys in addition to thekeys necessary for a successful group signature scheme, namely anownership private key for each member, an ownership public key to enableeach member to verify the validity of his key, and a renewal public keyto enable each member to modify his ownership private key each time thata member joins or leaves the group. The trusted authority modifies theownership public key and the renewal key for each new member and foreach revocation of a member. Each remaining member of the group modifieshis ownership private key using the renewal key and verifies itsvalidity using the ownership public key. To sign a messageelectronically, the signatory member uses his ownership private key.Thus the addressee is able to verify the electronic signature using theownership public key. This method has the drawback of being of specificapplication in that it has proven to be secure only in a particulargroup signature scheme that corresponds to the one described in thepaper by J. Camenisch and M. Michels “A Group Signature Scheme WithImproved Efficiency”, in K. Ohta and D. Pei, editors, Advances InCryptology—ASIACRYPT'98, Volume 1514 of LNCS, pages 160-174,Springer-Verlag, 1998. Furthermore, that method has the disadvantagethat it imposes calculations on each member each time that a memberjoins or leaves the group; those calculations may become frequent if thedynamics of the group are particularly intense.

One objective of the invention is to remove the drawbacks of the priorart methods described above.

SUMMARY OF THE INVENTION

To this end, the present invention provides a cryptographic methodimplemented by a smart card of a set of smart cards each belonging to afirst entity that may be different for each smart card, each smart cardbeing equipped with a chip comprising storage means in which are storeda secret key and an identifier of the first entity that is theproprietor of the smart card and calculation means which execute acryptographic algorithm whose input arguments include at least thesecret key. The cryptographic method of the invention comprises thefollowing steps:

-   -   before any calculation by the calculation means of the chip of        the smart card, the chip reads in storage means of a second        entity a list of identifiers in complete form of first entities        that are smart card proprietors, said list being linked to each        status assigned to each of the first entities by the second        entity, and    -   the chip compares the identifiers stored in the storage means of        the chip and the contents of the list to authorize or prohibit        calculation by the calculation means as a function of the result        of the comparison.

The invention further provides a smart card for implementing the abovekind of method.

The method of the invention consists in using the chip on the smart cardto prohibit any cryptographic calculation implemented in the chip if thestatus of the proprietor of the smart card is set to “revoked” by thesecond entity. Otherwise, the status of the proprietor of the smart cardis set to “non-revoked” and the chip authorizes the calculation. Thesecond entity, which is typically a trusted authority, maintains anupdated list of the identifiers of each smart card proprietor, whosestatus is either revoked or non-revoked. The second entity stores thislist in storage means connected to a telecommunications network. Thesmart card may access those storage means via a smart card readerassociated with a computer, such as a personal computer, connected tothe telecommunications network.

Thus a revoked member is not able to carry out any cryptographiccalculation. If the cryptography algorithm installed in the chip is ananonymous signature calculation algorithm, the proprietor of the smartcard is not able to use his smart card to sign a file if he has beenrevoked.

The method of the invention may be implemented in particular ways; someimplementations are listed below, although the following list is not tobe regarded as exhaustive.

In one particular embodiment, the list comprises the identifiers ofrevoked entities, in which case the list is called a black list.

In another embodiment, the list comprises the identifiers of non-revokedentities, in which case the list is called a white list.

In another embodiment, the list is signed by the second entity, whichcalculates the signature using a signature algorithm, which may be anasymmetric public key algorithm, such as the RSA algorithm (RSA are thefirst letters of the surnames of the inventors of the algorithm). Beforeauthorization, the chip verifies the validity of the signature. In thecase of a public key signature algorithm, the chip verifies thesignature by means of the same asymmetric algorithm and using the publickey as an input argument. This verification authenticates the entirelist and therefore verifies its integrity.

In another embodiment, each identifier from the list is associated witha count value and each set formed of the identifier and the associatedcount value is signed by the second entity. The list comprises a valuefor the number of identifiers in the list and a signature for thatvalue. Each signature is calculated in the same way as in the previousembodiment. Before authorization, the chip verifies the validity of eachsignature. This verification authenticates each identifier from thelist, the associated count value and the read value of the number ofidentifiers. The chip also increments a counter each time an identifieris read, taking account of the count value associated with the readidentifier, and then compares the counter to the authenticated valuebefore authorizing calculation by the chip. This comparison verifies theintegrity of the number of read identifiers.

Other features and advantages of the invention become apparent in thecourse of the following description, which is given with reference tothe appended drawings, which show embodiments of the invention by way ofnon-limiting example.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of a cryptographic method of the invention.

FIG. 2 is a flowchart of a first embodiment of a cryptographic method ofthe invention.

FIG. 3 is a flowchart of a second embodiment of a cryptographic methodof the invention.

FIG. 4 is a flowchart of an example of the implementation by a chip ofthe second embodiment of a cryptographic method of the invention.

FIG. 5 is a diagram of a smart card of the invention.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

The method is implemented by a smart card of a set of smart cards eachof which belongs to a first entity. The first entity, typically aphysical person, may be different for each smart card. Each smart cardis equipped with a microchip that comprises storage means andcalculation means. A secret key and an identifier of the first entitythat is the proprietor of the smart card are stored in the storagemeans. A cryptographic algorithm whose input arguments include thesecret key is implemented in the calculation means.

The cryptographic algorithm may be a group signature calculationalgorithm, an encryption algorithm, or a decryption algorithm.

One example of a group signature calculation algorithm is described inthe paper by J. Camenisch and M. Stadler “Efficient group signatureschemes for large groups”, in B. Kaliski, editor, Advances inCryptology—CRYPT097, Volume 1296 of LNCS, pages 410 to 424,Springer-Verlag, 1997. Another description is given in the paper by J.Camenisch and M. Michels “A group signature scheme with improvedefficiency”, in K. Ohta and D. Pei, editors, Advances inCryptology—ASIACRYPT'98, Volume 1514 of LNCS, pages 160-174,Springer-Verlag, 1998. The RSA algorithm may be used as anencryption/decryption algorithm.

The method comprises a plurality of steps described below. For signing,encrypting or decrypting, the chip activates the calculation means,which calculate output data as a function of input arguments presentedto the input of the cryptographic algorithm.

Prior to any calculation 1 by the calculation means of the chip in thesmart card, the chip reads a list of identifiers in complete form offirst entities that are smart card proprietors. This list is stored instorage means of a second entity (operation 2). In an entirelyequivalent manner, a list read in the storage means of a second entitymay be written to the chip. Any reading operation referred to in theremainder of the description may be replaced in an entirely equivalentmanner by a writing operation. The list is linked to the status assignedto each of the first entities by the second entity. The second entitysets this status to “revoked” or “non-revoked”. The list contains eitherthe first entities that have been revoked, in which case it is called ablack list, or the first entities that have not been revoked, in whichcase it is called a white list. The second entity stores this list instorage means accessible via a telecommunications network. The storagemeans may comprise memory space on a server or on a mass storage device,for example.

The chip then compares the identifier stored in the storage means of thechip and the content of the list (operation 3). If, following thiscomparison, the chip finds that the first entity has been revoked, itprohibits calculation by the calculation means (operation 4). But if,following this comparison, the chip finds that the first entity has notbeen revoked, it authorizes calculation by the calculation means(operation 5).

The method used by a chip to carry out the above comparison is asfollows. The chip initializes a flag to 1. It compares each identifierread in succession to the identifier stored in the chip; if they are notidentical, the chip sets the flag to 1; if they are identical it setsthe flag to 0. After comparing each read identifier and the identifierstored in the chip, the chip prohibits calculation by the calculationmeans if the flag is at 1 and authorizes calculation by the calculationmeans if the flag is at 0.

FIG. 2 shows a first embodiment of the cryptographic method of theinvention. This embodiment comprises the steps described with referenceto FIG. 1, which are not described again, and additional steps describedhereinafter. At the same time as reading the list, and in the samememory area, the chip reads a signature from the list (operation 10).The signature is calculated beforehand by calculation means of thesecond entity. Before the chip authorizes calculation by the calculationmeans (operation 5), it verifies the validity of the signature in orderto authenticate the list and to verify its integrity (operation 11). Ifthe signature is not valid, the chip prohibits calculation by thecalculation means (operation 4); otherwise it authorizes calculation(operation 5).

FIG. 3 shows a second embodiment of the cryptographic method of theinvention. This embodiment includes the steps described with referenceto FIG. 1, which are not described again, and additional steps describedhereinafter. At the same time as reading the list, and in the samememory area, the chip also reads a count value associated with eachidentifier, a signature for each set, comprising an identifier from thislist and an associated count value, the value of the number ofidentifiers in the list, and a signature for that value (operations 12,13, 14). The signature for each identifier and the associated countvalue, the value of the number of identifiers, and the signature forthat value are calculated beforehand by calculation means of the secondentity and stored in the same memory area as the list. To count thenumber of identifiers, the chip increments a counter each time that thechip reads an identifier, taking account of the count value associatedwith the identifier (operation 15). Before the chip authorizescalculation by the calculation means (operation 5), it verifies thevalidity of each of the signatures to authenticate each identifier fromthe list and the number of identifiers, respectively (operations 16,17). If any of the signatures is not valid, the chip prohibitscalculation (operation 4).

After reading the list of identifiers, the chip compares the value ofits counter to the read value of the number of identifiers (operation18). If these values are different, the chip prohibits calculation bythe calculation means (operation 4). If these values are identical, thechip verifies the validity of the signature for the value of the numberof identifiers (operation 17). FIG. 4 shows the use of this secondembodiment by a chip. The chip initializes a flag to 1 and a counter to0 (operation 19). The chip reads an identifier from the list, theassociated count value, and their signature and increments the counter(operation 20). The chip compares the flag to 0 (operation 21). If theflag is not at 0, the chip compares the identifier read to theidentifier stored in the chip (operation 22); if they are not identical,the chip sets the flag to 1 (operation 23); otherwise it sets the flagto 0 (operation 24). After comparing the read identifier and theidentifier stored in the chip, or if the flag is at 0, the chip verifiesthe validity of the signature of the combination of the read identifierand the associated count value (operation 25). If the signature is notvalid, the chip prohibits calculation by the calculation means(operation 4). But, if the signature is valid, the chip waits for thenext identifier (operation 26) or, if there are no more identifiers inthe list, the chip reads the value of the number of identifiers and itssignature (operation 27). The chip compares the value of the number ofidentifiers with the value of its counter (operation 18). If thesevalues are different, the chip prohibits calculation by the calculationmeans (operation 4); otherwise the chip verifies the validity of thesignature of the value of the read number (operation 17). If thesignature is not valid, the chip prohibits calculation by thecalculation means (operation 4). If the signature is valid, the chiptests the value of the number of identifiers (operation 28). If the flagis not at 1, the chip prohibits calculation by the calculation means(operation 4), as this means that the member has been revoked.Otherwise, the chip authorizes calculation by the calculation means(operation 5).

FIG. 5 is a diagrammatic representation of a smart card of theinvention.

The smart card 30 is equipped with a chip 31 which comprises storagemeans 32, calculation means 33, means 34 for reading storage means of asecond entity via a telecommunications network, and means 35 forauthorizing calculation by the calculation means.

The storage means 32 store a secret key and an identifier of a firstentity, i.e. the proprietor of the smart card.

The calculation means 33 execute a cryptographic algorithm whose inputarguments include the secret key. The calculation means 33 are connectedto the storage means 32.

The reading means 34 are used to read a list of identifiers in thestorage means of the second entity via a telecommunications network. Thereading means 34 send the read data to the calculation means 33 and/orto the authorization means 35 via connections to each of those means.

The authorization means 35 authorize calculation by the calculationmeans 33 as a function of the results of comparing the identifier andthe contents of the list.

A smart card 30 of the above kind is used to implement a method of theinvention.

A first application of a method of the invention is to electronicvoting, which comprises two phases:

-   -   registration on an electoral list by an administrative        authority, and    -   voting using a ballot box connected via a communications network        to a voting administration server.

When registering, the elector obtains in a smart card a personal privatekey and a group private key. The anonymous signature that the electormay produce using his smart card and his personal private key isreferred to as “correlatable”. This means that, if the elector attemptsto sign a second voting slip anonymously by producing an anonymoussignature, the slip is rejected by the ballot box. Because the anonymoussignature is correlatable, the ballot box is able to verify that this isa second anonymous signature.

A malicious elector is not able to claim that he has lost his groupprivate key and receive another one, and thus be in a position to votetwice. A method of the invention prohibits him from using the firstgroup private key, as this group private key is updated when he declaresthat he has lost the first group private key. The loss of a groupprivate key by a member is managed by a method of the invention in thesame way as revocation of the member.

A second application of a method of the invention is to electronicbidding. Bidding involves three protagonists, namely a server, a trustedauthority and a client. All clients form a client group. A user wishingto subscribe to a client group must contact the trusted authority, whichsupplies his personal private key in a smart card. He thus obtains theright to produce a group anonymous signature. Using this right, he isable to sign each of his bids anonymously. At the time of a bid for acertain product, each member of the client group may bid by signing amessage containing in particular details of the product on sale and theamount of his bid. The bidding server is then able to verify that hebelongs to the group, and thus that the bid is valid, by verifying thegroup anonymous signature. The winner is the person submitting thehighest bid prior to adjudication. The last message received by thebidding server is therefore that from the winner. The server then sendsthis message and the corresponding group anonymous signature to thetrusted authority, which alone is able to remove the anonymity and thusto determine the physical identity of the purchaser of the product bidfor.

Bidding involves dynamic groups as new persons may be registered withthe group every day and a member may leave the group or be excluded forfraud at any time. It is therefore essential to set up a revocationdevice to prevent a revoked member using his signature fraudulently. Arevoked member could continue to use his group private key to bid andthus corrupt the bidding process, for example by upping the bidding. Ifhe is careful to withdraw from the bidding process soon enough not tomake the winning bid, the fraud will go undetected, since only theidentity of the winner is finally revealed. A method of the inventionsolves the problem of revocation of one or more members of the group.

A third application of a method of the invention is to electronicpayment. This involves four protagonists, namely a customer, a trader, abank and a trusted authority. Each customer must identify himself to thesystem and obtain a group private key stored in a smart card beforebeing able to carry out his first transaction. To make a payment, thecustomer must withdraw electronic “cash” from his bank. Thanks to theuse of a blind signature scheme, the cash C he withdraws is anonymous.The cash C is spent in the following manner: using his smart card, thecustomer generates a group signature applying to the cash C and sendsthe combination of the signature and the cash C to a trader. The traderverifies the signature of the bank attached to the cash C and verifiesthe group signature. If each of the two signatures is valid, the traderaccepts the transaction. At a given time of day, the trader sends hisbank the signatures and cash received in payment, for transfer to hisaccount. In the event of fraud, for example use of the same cash inmultiple transactions, the bank sends the group signature applying tothe contested cash to the trusted authority in order for it to identifyand sanction the wayward customer.

A reliable mechanism for revoking keys that have been compromised isnecessary to prevent fraud of the following type: a dishonest customerreports to the trusted authority the loss of his group private key s andthereby declines to accept any liability for fraud carried out using thekey s. The customer hands his key over to an accomplice, who is thenable to use the key s to sign cash c legitimately withdrawn from thebank and then spend the cash as many times as he wishes. A method of theinvention solves the problem of revoking the keys S.

1. A cryptographic method implemented by a smart card (30) of a set ofsmart cards each belonging to a first entity that may be different foreach smart card, each smart card being equipped with a chip (31)comprising storage means (32) in which are stored a secret key and anidentifier of the first entity that is the proprietor of the smart card(30) and calculation means (33) which execute a cryptographic algorithmwhose input arguments include at least the secret key, which method ischaracterized in that it comprises the following steps: before anycalculation by the calculation means (33) of the chip (31) of the smartcard (30), the chip (31) reads in storage means of a second entity alist of identifiers in complete form of first entities that are smartcard proprietors (operation 2), said list being linked to the statusassigned to each of the first entities by the second entity, and thechip (31) compares the identifiers stored in the storage means (32) ofthe chip (31) and the contents of the list (operation 3) to authorize(operation 5) or prohibit (operation 4) calculation by the calculationmeans (33) as a function of the result of the comparison.
 2. Acryptographic method according to claim 1, wherein the list comprisesall first entities whose status has been set to “revoked” by the secondentity and the chip (31) authorizes calculation (operation 5) only ifthe identifier stored in the storage means (32) of the chip (31) is notin the list.
 3. A cryptographic method according to claim 1, wherein thelist comprises all first entities whose status has been set to“non-revoked” by the second entity and wherein the chip (31) authorizescalculation (operation 5) only if the identifier stored in the storagemeans (32) of the chip (31) is in the list.
 4. A cryptographic methodaccording to claim 1, further comprising the following steps: at thesame time as reading the list (operation 2), the chip (31) reads asignature in the list in the storage means of the second entity(operation 10), which signature was calculated beforehand by calculationmeans of the second entity, and before the chip (31) authorizescalculation by the calculation means (33) (operation 5), it verifies thevalidity of the signature (operation 11).
 5. A cryptographic methodaccording to claim 1, further comprising the following steps: at thesame time as reading the list (operation 2), the chip (31) reads thesignatures of the identifiers in the list in the storage means of thesecond entity (operation 12), each identifier having given rise to asignature calculated beforehand by calculation means of the secondentity, at the same time as reading the list (operation 2), the chip(31) reads in the storage means of the second entity a value of thenumber of identifiers listed in that list and a signature for that value(operations 13, 14), the value and its signature having been calculatedbeforehand by calculation means of the second entity, before the chip(31) authorizes calculation by the calculation means (33) (operation 5),it verifies the validity of each of the signatures (operations 16, 17),the chip (31) counts the number of identifiers contained in the readlist (operation 15), and before the chip (31) authorizes calculation bythe calculation means (33) (operation 5), it verifies that the value ofthe counter and the read value are the same (operation 18).
 6. A smartcard (30) for implementing a method according to claim 1, wherein thesmart card (30) is equipped with a chip (31) which comprises: storagemeans (32) for storing a secret key and an identifier of a first entitythat is a proprietor of the smart card, calculation means (33) adaptedto execute a cryptographic algorithm whose input arguments include thesecret key, reading means (34) for reading from storage means of asecond entity via a telecommunications network, a list in complete formof identifiers of first entities that are smart card proprietors, saidlist being linked to each status assigned to each of the first entitiesby the second entity, and means (35) for comparing the identifier storedin the storage means (32) of the chip (31) and the contents of the listto authorize or prohibit calculation by the calculation means (33) as afunction of the result of the comparison.
 7. An article of manufacturefor use in a computer system, including a computer usable medium, forperforming a cryptographic method implemented by a smart card (30) of aset of smart cards each belonging to a first entity that may bedifferent for each smart card, each smart card being equipped with achip (31) comprising storage means (32) in which are stored a secret keyand an identifier of the first entity that is the proprietor of thesmart card (30) and calculation means (33) which execute a cryptographicalgorithm whose input arguments include at least the secret key, whereinthe computer usable medium comprises a computer readable code forcausing: before any calculation by the calculation means (33) of thechip (31) of the smart card (30), the chip (31) to read in storage meansof a second entity a list of identifiers in complete form of firstentities that are smart card proprietors (operation 2), said list beinglinked to the status assigned to each of the first entities by thesecond entity, and the chip (31) to compare the identifiers stored inthe storage means (32) of the chip (31) and the contents of the list(operation 3) in order to authorize (operation 5) or prohibit (operation4) calculation by the calculation means (33) as a function of the resultof the comparison.